The Current State of SCAP Benchmarks & Possibly the Future

This blog excerpt is taken from our April 2023 newsletter. To view the rest of the newsletter, visit rmf.org/newsletter.

By Kathryn Daily, CISSP, CGRC (Formerly CAP), RDRP

As some may have heard, SCAP Compliance Checker (SCC) lost its funding from DISA at the end of FY22, and as a result its development team has been reduced to only six GS-13 developers. During FY23 they were able to get short-term funding from a few government agencies and are now being funded by two anonymous donors. They have no prospects for funding in FY24. The plan, as communicated by the SCC dev team, is that SCC will switch to a pay-as-you-go model in which government agencies (not commercial companies) pay for the use of SCC. There is no requirement to pay, but they do provide suggested amounts, with the minimum being $1500 per year. As of the newly released version (5.7.1), a dialog box now appears on every third application launch if you have not paid.

To their credit, since DISA dropped funding they have been pushing out updates like I’ve never seen before. They have created “enhanced” benchmarks, available on NIWC’s Enhanced SCAP Content Repository (link below) rather than on the DISA Cyber Exchange where the standard SCAP benchmarks are located. With this enhanced content, they have added the capability to answer manual questions through the SCC app, and they have also added functionality to create the .ckl files directly in SCC. They are trying to stay relevant.
Enhanced SCAP Content Repository: https://www.niwcatlantic.navy.mil/scap/scap-content-repository/

Note: the version numbers do differ between standard and enhanced benchmarks to allow both to be imported into SCC. The format is DISA Version + NIWC Version. For brevity, NIWC drops the leading zeros on the DISA version number and adds their version number to the right. If DISA updates their version and NIWC does not, the first two digits will change to reflect the new DISA version while the last digit will remain the same.

Example: Microsoft IIS 10.0 Server STIG SCAP Benchmark STIG Manual Version: 2.8 and the Enhanced Benchmark: 2.8.2
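To make the version-numbering rule concrete, here is a small added example (not from the newsletter, SCC or NIWC) that composes an enhanced benchmark version from a DISA benchmark version plus the NIWC revision, and reports which component changed between two enhanced releases so an SCC import can be sanity-checked. The zero-padded `002.008` DISA form is an assumption inferred from the note that NIWC strips leading zeros; the `V2R8` form is DISA's usual STIG version label.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EnhancedVersion:
    disa_version: int  # DISA STIG version (first number)
    disa_release: int  # DISA release (second number)
    niwc: int          # NIWC enhanced-content revision (appended last)

    def __str__(self) -> str:
        return f"{self.disa_version}.{self.disa_release}.{self.niwc}"


def parse_disa_version(text: str) -> tuple[int, int]:
    """Parse a DISA benchmark version written as '2.8', 'V2R8' or the
    zero-padded '002.008' form (assumed). Returns (version, release)."""
    m = re.fullmatch(r"\s*V?(\d+)[.R](\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised DISA version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def build_enhanced(disa: str, niwc_revision: int) -> EnhancedVersion:
    """DISA version (leading zeros dropped) + NIWC revision on the right."""
    version, release = parse_disa_version(disa)
    return EnhancedVersion(version, release, niwc_revision)


def parse_enhanced(text: str) -> EnhancedVersion:
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised enhanced version: {text!r}")
    return EnhancedVersion(*(int(g) for g in m.groups()))


def what_changed(old: str, new: str) -> str:
    """Return 'disa', 'niwc', 'both' or 'none': a DISA-only update changes
    the first two numbers and leaves the NIWC digit alone."""
    o, n = parse_enhanced(old), parse_enhanced(new)
    disa_changed = (o.disa_version, o.disa_release) != (n.disa_version, n.disa_release)
    niwc_changed = o.niwc != n.niwc
    if disa_changed and niwc_changed:
        return "both"
    return "disa" if disa_changed else "niwc" if niwc_changed else "none"
```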

So, what other SCAP tools exist from the DoD? I’m glad you asked! NSWC Crane has developed a tool called Evaluate-STIG that is picking up steam in the DoD. It has official approvals in DADMS for the Navy; the Army has it listed in eMASS with an Assess Only ATO (eMASS ID 4546); and it is approved for NAVAIR and NMCI (CCSW eMASS ID 13969 and UCSW eMASS ID 14441). While SCC provides both a command line and a graphical user interface, Evaluate-STIG is simply a PowerShell script that automatically scans and documents STIG compliance. Evaluate-STIG also has significantly more functionality. It can scan your local or remote machine(s) to identify all applicable STIGs (who hasn’t forgotten a STIG or two?) and then scan the target machines for compliance with those applicable STIGs. Evaluate-STIG also automates significantly more STIGs than SCC: as of 3/16/2023, Evaluate-STIG supports 81 STIGs while SCC supports only 26. Lastly, Evaluate-STIG provides the capability to create an answer key for known opens and for findings that cannot be evaluated through technical means (i.e., policy checks).
While SCC has been publicly available since version 5.4, Evaluate-STIG does require a CAC to obtain. The following links will provide access to the download.

BAI’s STIG 101 class is in the process of being updated to include Evaluate-STIG in the hands-on lab and should be integrated in class beginning April 2023. It is currently incorporated into the lecture.
